ISO 26262, SOTIF, and Simulation in Autonomy Systems

May 11, 2020

Because real-world driving produces an open-ended set of scenarios and edge cases, virtual testing is an important component of autonomous system development alongside real-world tests. However, the industry needs shared methodologies for how simulation is used for this purpose and for how simulation standards interact with existing frameworks for safety-critical development. In this post, the Applied team shares how simulation fits into frameworks for building safety-critical systems, recent standardization efforts around this technology, and the requirements a simulation tool must meet to support this use case.

Simulation Guidance From ISO/PAS 21448 (SOTIF) and ISO 26262

Two common frameworks relevant to automotive safety development are ISO 26262 and SOTIF. ISO 26262 covers functional safety, i.e. reducing the risk of hazards caused by malfunctions (faults) of electrical and electronic components. The Safety of the Intended Functionality (SOTIF, ISO/PAS 21448) instead covers hazards that arise without any component fault, when a correctly functioning system meets a scenario its design did not foresee (for example a perception limitation in unusual weather). Both need to be considered carefully to develop a safe autonomous driving system.

ISO 26262 has traditionally been used to develop automotive safety systems, and it lays out functional safety requirements aimed at preventing unreasonable risk due to system faults. The V-model (Figure 1) is its reference model for the product development cycle: the left side refines requirements into a design, and the right side verifies each level of that design against its requirements. ISO 26262 recommends the use of simulation at each level of the V. Requirements-based testing, fault injection, and performance testing should be executed during unit and integration testing, while system testing calls for hardware-in-the-loop (HIL) simulation to verify that the software operates correctly on the target hardware. Across all of these, simulation should cover dangerous situations broadly and include randomized tests to probe for risks that nobody thought to specify.

Figure 1: V-model, a reference model for testing and validating autonomous vehicles

Because of the range of hazardous edge cases that might be encountered in autonomous driving, a relatively new standard, ISO/PAS 21448 (SOTIF), has emerged. It aims to ensure safe system operation in unexpected scenarios even in the absence of obvious system faults. SOTIF analysis should use simulation to identify hazards, find their root causes (a triggering condition such as a sensor limitation or unusual road user behaviour), and relate them to weaknesses of the overall autonomous system (Figure 2). Since many of these hazards arise from corner cases, and real-world driving is complex, a vast number of scenarios needs to be tested. Simulation platforms therefore need to support creating and running millions of scenarios quickly.

Figure 2: Using simulation to identify how your AV responds to hazards in complex, real world situations

Simulation Standards

As more OEMs adopt specialized third-party simulation tools, standards are needed so that those tools interoperate with the rest of the autonomous vehicle development toolchain. The ASAM OpenX standards include OpenDRIVE, which defines an XML file format for describing static road networks (i.e. maps), and OpenSCENARIO, which defines a file format for describing the dynamic content of a simulation (i.e. the driving maneuvers of the ego vehicle and other traffic participants). These standards bring a number of benefits for developers, including but not limited to:

  • Scenarios needed to validate specific safety requirements can be authored once and run on any simulation platform (in-house or third-party)
  • Compliance with SOTIF and ISO 26262 is supported by discovering or creating scenarios that expose hazards (SOTIF) or excessive risk in the event of component failures (ISO 26262)
  • Scenarios can be shared across platforms to facilitate collaboration among teams inside a company, as well as between companies (e.g., OEMs and suppliers)
  • Regulators can understand how OEMs test their autonomous systems and better assess commercial readiness
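To make the interoperability point concrete, here is an added example (not Applied's code and not part of the original post) that parses a small OpenDRIVE road network with Python's standard library and runs the consistency checks a consumer of a supplier-provided map would want before feeding it to a simulator. The element and attribute names follow OpenDRIVE 1.6; the road itself, the `Lane`/`Road` records and the `check_road` checks are constructed for illustration.

```python
# Added example: parse a minimal ASAM OpenDRIVE road network and sanity-check it.
# Not Applied's code. Element/attribute names follow OpenDRIVE 1.6; the road
# content below is constructed for this example.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: one straight 100 m road built from two line geometries,
# a centre lane, a 3.5 m driving lane, and a shoulder narrowing from 2 m to 1 m.
SAMPLE_XODR = """<?xml version="1.0" standalone="yes"?>
<OpenDRIVE>
  <header revMajor="1" revMinor="6" name="example" version="1.0" date="2020-05-11"/>
  <road name="main" length="100.0" id="1" junction="-1">
    <planView>
      <geometry s="0.0" x="0.0" y="0.0" hdg="0.0" length="60.0"><line/></geometry>
      <geometry s="60.0" x="60.0" y="0.0" hdg="0.0" length="40.0"><line/></geometry>
    </planView>
    <lanes>
      <laneSection s="0.0">
        <center><lane id="0" type="none" level="false"/></center>
        <right>
          <lane id="-1" type="driving" level="false">
            <width sOffset="0.0" a="3.5" b="0.0" c="0.0" d="0.0"/>
          </lane>
          <lane id="-2" type="shoulder" level="false">
            <width sOffset="0.0" a="2.0" b="-0.01" c="0.0" d="0.0"/>
          </lane>
        </right>
      </laneSection>
    </lanes>
  </road>
</OpenDRIVE>
"""

WidthRecord = Tuple[float, float, float, float, float]  # (sOffset, a, b, c, d)


@dataclass
class Lane:
    lane_id: int
    lane_type: str
    section_s: float                       # start of the enclosing laneSection along the road
    widths: List[WidthRecord] = field(default_factory=list)

    def width_at(self, ds: float) -> float:
        """Width ds metres past the lane section start. OpenDRIVE defines
        w = a + b*x + c*x^2 + d*x^3 with x = ds - sOffset, using the width
        record with the largest sOffset <= ds."""
        applicable = [w for w in self.widths if w[0] <= ds]
        if not applicable:
            return 0.0
        s_off, a, b, c, d = max(applicable, key=lambda w: w[0])
        x = ds - s_off
        return a + b * x + c * x ** 2 + d * x ** 3


@dataclass
class Road:
    road_id: str
    length: float
    geometry_lengths: List[float]
    lanes: List[Lane]


def parse_opendrive(text: str) -> List[Road]:
    """Parse OpenDRIVE XML text into Road records. Supplier-provided maps are
    untrusted input: in production, parse with defusedxml or an XSD-validating
    parser instead of plain ElementTree; check_road() is still needed on top."""
    root = ET.fromstring(text)
    if root.tag != "OpenDRIVE":
        raise ValueError("not an OpenDRIVE document")
    roads = []
    for road_el in root.findall("road"):
        geoms = [float(g.get("length")) for g in road_el.findall("planView/geometry")]
        lanes = []
        for section in road_el.findall("lanes/laneSection"):
            section_s = float(section.get("s"))
            for lane_el in section.findall("./*/lane"):          # center/left/right children
                lane = Lane(int(lane_el.get("id")), lane_el.get("type", ""), section_s)
                for w in lane_el.findall("width"):
                    lane.widths.append(tuple(float(w.get(k)) for k in ("sOffset", "a", "b", "c", "d")))
                lanes.append(lane)
        roads.append(Road(road_el.get("id"), float(road_el.get("length")), geoms, lanes))
    return roads


def check_road(road: Road, tol: float = 1e-6, samples: int = 100) -> List[str]:
    """Checks a consumer should run before trusting a map: positive length,
    geometries that add up to the road length, no lane width going negative."""
    problems = []
    if road.length <= 0:
        problems.append(f"road {road.road_id}: non-positive length {road.length}")
    if abs(sum(road.geometry_lengths) - road.length) > tol:
        problems.append(f"road {road.road_id}: geometry lengths sum to "
                        f"{sum(road.geometry_lengths)}, road length is {road.length}")
    for lane in road.lanes:
        if lane.lane_id == 0:              # centre lane carries no width
            continue
        span = road.length - lane.section_s
        for i in range(samples + 1):
            ds = span * i / samples
            if lane.width_at(ds) < 0:
                problems.append(f"road {road.road_id} lane {lane.lane_id}: "
                                f"negative width at s={lane.section_s + ds:.1f}")
                break
    return problems


if __name__ == "__main__":
    for road in parse_opendrive(SAMPLE_XODR):
        print(road.road_id, road.length, [(ln.lane_id, ln.lane_type) for ln in road.lanes])
        print("problems:", check_road(road) or "none")
```

The same pattern (parse, then validate semantic invariants the schema cannot express) applies to OpenSCENARIO files: the XML can be well-formed and still describe a road that is shorter than its geometry or a lane that vanishes, and a simulator that silently accepts that produces results nobody can trace back to a requirement.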

Simulation Platform Requirements

A simulation platform for AV development needs to be purpose-built to support testing based on the standards and frameworks described above. Some of the key requirements include:

  • Easy creation of complex interactions: The simulation engine should allow developers to place the system under test in many edge-case scenarios to support SOTIF analysis
  • Requirements traceability: The simulation platform should link each scenario to the requirement it verifies on both sides of the development V-cycle (Figure 1), so teams can see high-level coverage and drill down to specific failures
  • Supporting unit and integration tests: Modular testing of individual subsystems is important to isolate issues and track the quality of each subsystem
  • Repeatable results: The core simulation engine should be deterministic, producing identical results for a well-defined scenario across runs and across different compute platforms, so that a failure can be reproduced and triaged
  • Configurable fidelity: Both high-fidelity models such as detailed sensor models (Figure 3) and simple mathematical models are required in the platform to support AV teams while minimizing computational cost
  • HIL compliant: Complete system testing including hardware tests is important for final testing and needs to be supported by the simulation platform

Figure 3: Evaluate your perception requirements using accurate sensor models
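The traceability and repeatability requirements above can be made concrete in code. The following added example (not Applied's code and not part of the original post) shows one way to do it: randomized scenario parameters are drawn from a private generator seeded per scenario, every scenario carries the ID of the requirement it verifies, and a content-addressed scenario ID is derived from the canonical JSON of its parameters so the same scenario gets the same ID on every host. The cut-in parameter ranges, the requirement IDs and the brake-feasibility pass/fail criterion are constructed for illustration and are not a real evaluation.

```python
# Added example: seeded scenario sampling, content-addressed scenario IDs and a
# requirement coverage report. Not Applied's code. The cut-in parameter ranges,
# requirement IDs and brake-feasibility criterion are constructed for illustration.
import hashlib
import json
import random
from dataclasses import asdict, dataclass
from typing import Dict, List

G = 9.81  # gravitational acceleration, m/s^2


@dataclass(frozen=True)
class CutInScenario:
    requirement_id: str   # requirement this scenario is meant to verify (traceability)
    seed: int             # recorded so the exact run can be reproduced
    ego_speed_mps: float
    lead_speed_mps: float
    gap_m: float          # longitudinal gap to the cutting-in vehicle at cut-in
    friction: float       # tyre/road friction coefficient


def sample_cut_in(requirement_id: str, seed: int) -> CutInScenario:
    """Draw one randomized cut-in scenario from a private, seeded generator.
    random.Random(seed) rather than the module-level functions means no other
    code can perturb the sequence, and the same int seed yields the same draws
    on every platform. Parameters are rounded to fixed decimals so that their
    serialized form is platform-independent."""
    rng = random.Random(seed)
    ego = round(rng.uniform(15.0, 35.0), 3)
    lead = round(rng.uniform(5.0, ego), 3)      # lead no faster than ego, so ego is closing
    gap = round(rng.uniform(5.0, 40.0), 3)
    mu = round(rng.uniform(0.3, 0.9), 3)
    return CutInScenario(requirement_id, seed, ego, lead, gap, mu)


def scenario_id(scenario: CutInScenario) -> str:
    """Content-addressed ID: canonical JSON of the parameters, SHA-256 hashed.
    Same parameters give the same ID on any machine, so a failure report can
    cite the exact scenario and the requirement it traces to."""
    canonical = json.dumps(asdict(scenario), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def required_deceleration(scenario: CutInScenario) -> float:
    """Constant braking needed to match the lead's speed before closing the gap:
    a = (v_ego - v_lead)^2 / (2 * gap). Zero if ego is not closing."""
    closing = scenario.ego_speed_mps - scenario.lead_speed_mps
    if closing <= 0:
        return 0.0
    return closing ** 2 / (2.0 * scenario.gap_m)


def braking_feasible(scenario: CutInScenario) -> bool:
    """Toy pass/fail criterion: braking alone suffices if the required
    deceleration stays within the friction budget mu * g."""
    return required_deceleration(scenario) <= scenario.friction * G


def generate_batch(requirement_id: str, base_seed: int, count: int) -> List[CutInScenario]:
    """Derive per-scenario seeds from one batch seed so the whole batch is reproducible."""
    return [sample_cut_in(requirement_id, base_seed * 1_000_003 + i) for i in range(count)]


def coverage_report(scenarios: List[CutInScenario]) -> Dict[str, Dict[str, int]]:
    """Per requirement: how many scenarios exercise it and how many fail it.
    This is the right-hand-side-of-the-V view: which requirements have evidence."""
    report: Dict[str, Dict[str, int]] = {}
    for sc in scenarios:
        entry = report.setdefault(sc.requirement_id, {"scenarios": 0, "failures": 0})
        entry["scenarios"] += 1
        if not braking_feasible(sc):
            entry["failures"] += 1
    return report


if __name__ == "__main__":
    batch = generate_batch("SOTIF-CUTIN-01", base_seed=42, count=5)
    for sc in batch:
        print(scenario_id(sc), sc, "feasible" if braking_feasible(sc) else "FAIL")
    print(coverage_report(batch))
```

Determinism here rests on the integer-seeded private generator and on rounding parameters before serializing them. The same discipline applies inside the simulation engine itself: a scenario is only reproducible across compute platforms if the engine avoids sources of non-determinism such as unordered parallel reductions, uninitialized state, and library math functions whose results differ between CPUs.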

How Applied Supports the AV Industry for Simulation

Applied has developed a simulation platform that supports the key requirements outlined above and adheres to the available industry standards for simulation. As a member of ASAM, Applied is also involved in initiatives related to these simulation standards. Automotive developers worldwide are using Applied's tools to develop safety systems based on the frameworks described in this article. Simulation continues to be a key aspect of measuring the safety of these systems, and Applied continues to work closely with the industry on this challenge.

Do you want to learn more about simulations? Schedule time with our engineers!